Executive Summary
Cisco Talos researchers recently reported on new activity perpetrated by Russian nexus threat actor group Armageddon. The group is using a new infostealer to target entities in Ukraine.
Key Takeaways
- Armageddon is a Russian nexus threat actor group with a history of targeting Ukraine.
- Armageddon uses phishing emails with malicious documents as bait.
- The recent campaign uses a new infostealer not previously observed in the wild.
- The infostealer is capable of stealing files from the victim machine and any connected removable drives.
According to Cisco Talos, Armageddon (Gamaredon) is targeting entities in Ukraine with RAR archives distributing malicious LNK files. The campaign has been active since at least August 2022.
The infection chain begins with phishing emails using lures related to the Russia-Ukraine conflict. The emails deliver malicious Office documents with remote templates containing malicious VBS macros. These macros download and open RAR compressed files containing LNK files.
The LNK files execute MSHTA.EXE to download and parse a remote XML file and execute a PowerShell script. This PowerShell script decodes and executes a second PowerShell script, which is an instrumentor used to collect victim data and report it to the C2. It is interesting to note the server only allows access from IP addresses allocated to Ukraine’s address space. The script also gives the C2 the ability to send a PowerShell command or encrypted VBScript to be executed. The instrumentor script has a function to decode the encrypted response from the C2 and execute it as a VBScript object.
The C2 can send multiple payloads, including a PowerShell script to maintain persistence and an infostealer. Cisco Talos notes the infostealer appears to be a new tool not used in previous campaigns. The infostealer exfiltrates files with the following extensions from the victim machine: .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb. It is capable of stealing files from the victim machine and any connected removable drives.
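The chain above (LNK launching MSHTA.EXE to fetch remote content, which in turn starts PowerShell) leaves a recognisable parent/child process pattern. The following is an added detection example, not code from the Cisco Talos or PolySwarm write-ups: it runs three rules over process-creation records with Sysmon-style fields (parent image, image, command line), which are an assumption about the telemetry available, and includes a triage helper that recovers the plaintext of a base64 -EncodedCommand argument. The sample events, the placeholder URL and the encoded payload are all constructed for the example and are not indicators from the report; the encoded-command rule is a generic PowerShell signal, not something the report attributes to this campaign.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (assumed Sysmon Event ID 1-style fields)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    # Normalise to the lowercase executable name so rules do not depend on install path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# PowerShell's -EncodedCommand switch (and its accepted abbreviations) followed by base64
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def classify_event(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    # Rule 1: mshta.exe told to fetch remote content, as the LNK in the chain does
    if image == "mshta.exe" and URL_RE.search(ev.command_line):
        hits.append("mshta_remote_content")
    # Rule 2: PowerShell started by mshta.exe, the next hop in the chain
    if image in POWERSHELL and parent == "mshta.exe":
        hits.append("powershell_spawned_by_mshta")
    # Rule 3 (generic supporting signal, not specific to this report): encoded command line
    if image in POWERSHELL and ENC_RE.search(ev.command_line):
        hits.append("powershell_encoded_command")
    return hits


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand argument (base64 of UTF-16LE) for triage."""
    m = ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed or truncated argument: report nothing rather than guess


def scan(events) -> List[Tuple[str, ProcessEvent]]:
    """Run every rule over every event and return (rule, event) pairs that fired."""
    return [(rule, ev) for ev in events for rule in classify_event(ev)]


# Constructed sample telemetry for a hypothetical host; URL and payload are placeholders, not IoCs.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://placeholder.invalid/update.xml"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc SQBFAFgA"),  # SQBFAFgA decodes to "IEX"
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt"),
    ProcessEvent(r"C:\Program Files\App\app.exe", r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Program Files\App\setup.hta"),  # local HTA: no remote fetch
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{rule:30} {ev.image}  {ev.command_line}")
```

Rule 2 is the one that maps most directly to this campaign: mshta.exe is rarely a legitimate parent of PowerShell, so it carries more weight than either rule 1 or rule 3 on its own, and the local-HTA event in the sample data shows why the remote-content rule alone should not page anyone.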
Who is Armageddon?
Armageddon, also known as Gamaredon, Shuckworm, or Primitive Bear, is one of the most active APT groups targeting Ukrainian assets. The group’s past campaigns have involved espionage activity aligned with Russian interests. In November 2021, the Security Service of Ukraine (SSU) publicly linked five Russian Federal Security Service (FSB) officers based in Crimea to the group. A report by the SSU stated Armageddon has been active since at least 2014 and has engaged in multiple cyber-espionage campaigns from 2017 to 2021. The SSU report notes Armageddon does not typically use sophisticated TTPs and does not seem to emphasize OPSEC. Some TTPs used by Armageddon include spearphishing, PowerShell, UltraVNC, FileStealer, EvilGnome, and Pterodo. We published a blog post on Pterodo earlier this year.
IOCs
PolySwarm has multiple samples associated with this campaign.
4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650
581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a
1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447
A9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7
8294815c2342ff11739aff5a55c993f5dd23c6c7caff2ee770e69e88a7c4cb6a
5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb
1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c
You can use the following CLI command to search for all Armageddon samples in our portal:
$ polyswarm link list -f Gameredon
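For hunting the hashes listed above on endpoints or file shares, here is an added example (not PolySwarm's tooling and not part of the original report) that loads the seven SHA-256 values from the IOC section, normalises them to lowercase (one is published with an uppercase hex digit, which a naive string comparison would miss), hashes files in streaming fashion, and walks a directory tree reporting every match. The directory-walk and validation logic is this example's own; the only values taken from the page are the hashes.

```python
import hashlib
import os
from typing import Dict, Iterable, Set

# SHA-256 hashes copied from the IOC section of this report.
REPORTED_IOCS = [
    "4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650",
    "581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a",
    "1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447",
    "A9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7",  # mixed case as published
    "8294815c2342ff11739aff5a55c993f5dd23c6c7caff2ee770e69e88a7c4cb6a",
    "5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb",
    "1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c",
]

HEX_DIGITS = set("0123456789abcdef")


def normalize_hashes(hashes: Iterable[str]) -> Set[str]:
    """Lowercase, strip whitespace and drop anything that is not a 64-char hex SHA-256."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) == 64 and set(h) <= HEX_DIGITS:
            out.add(h)
    return out


IOC_SET = normalize_hashes(REPORTED_IOCS)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_ioc(digest: str, iocs: Set[str] = IOC_SET) -> bool:
    """Case-insensitive membership test against the normalised indicator set."""
    return digest.strip().lower() in iocs


def hunt_directory(root: str, iocs: Set[str] = IOC_SET) -> Dict[str, str]:
    """Return {path: sha256} for every file under root whose hash is a known indicator."""
    matches: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the sweep
            if digest in iocs:
                matches[path] = digest
    return matches


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in hunt_directory(root).items():
        print(f"MATCH {digest} {path}")
```

Run it as `python hunt.py <directory>` (the script name is whatever you save it as). Hash matching only catches the exact samples PolySwarm has seen; the process-chain behaviour described earlier in the report is the more durable signal, since the group can trivially recompile or repack the stealer.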
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports